valitydev/SigmaHQ
14
0
Fork 0
mirror of https://github.com/valitydev/SigmaHQ.git synced 2024-11-07 09:48:58 +00:00
Code Issues Actions Packages Projects Releases Wiki Activity
c865b0e9a8
SigmaHQ/rules/windows/builtin/win_susp_samr_pwset.yml
Thomas Patzke 91b3c39c0d Amended condition 
Changed condition according to proposed syntax for related event matching (#4)
2017-06-11 23:54:19 +02:00

19 lines
767 B
YAML
Raw Blame History

title: Possible remote password change (NTLM hash only) through SAMR
description: Detects a possible remote NTLM hash change through SAMR API SamiChangePasswordUser() or SamSetInformationUser(). "Audit User Account Management" in "Advanced Audit Policy Configuration" has to be enabled in your local security policy / GPO to see this events.
author: Dimitrios Slamaris
logsource:
product: windows
service: security
detection:
samrpipe:
- EventLog: Security
EventID: 5145
RelativeTargetName: samr
passwordchanged:
- EventLog: Security
EventID: 4738
PasswordLastSet: (any)
timeframe: 15s
condition: samrpipe | near passwordchanged within timeframe
level: medium
Reference in New Issue View Git Blame Copy Permalink